Posts

Showing posts with the label DFARS

They’re Here! The Cybersecurity Maturity Model Certification Requirements for DoD Solicitations and Contracts Are Live. What Does This Mean for Your Organization?

  This alert serves to remind contractors of the much-ballyhooed Cybersecurity Maturity Model Certification (CMMC) and updates our previous articles on   the Department of Defense’s (DoD) proposed CMMC Program rule   and   DoD’s issuance of a new final rule , codified at Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7021 (contract clause) and 252.204-7025 (solicitation provision). The new DFARS rule implements the CMMC Program’s requirements into DoD contracts over the course of a three-year phase-in period. This week, as of November 10, 2025, Phase 1 of this rule’s rollout has finally become effective, with significant implications for defense contractors. As discussed in our prior articles, the new CMMC rule will apply to defense contracts involving contractor information systems handling federal contract information (FCI) or controlled unclassified information (CUI) only . There is a significant exception for contracts solely for the acquisiti...

Recent DOJ Settlements Highlight Risks for Subcontractors Handling Sensitive Government Information

On September 30, the U.S. Department of Justice (DOJ) announced an $875,000 settlement with a university over failures to comply with the data security obligations in certain contracts with the Air Force and the Defense Advanced Research Projects Agency (DARPA) . This announcement, along with several other recent settlement announcements by the DOJ and its  Civil-Cyber Fraud Initiative , highlights the contract compliance risks for government contractors and subcontractors who handle sensitive government information and yet fail to comply with the federal government’s cybersecurity requirements.   The university’s case and several like it involve compliance with the requirements of  DFARS 252.204-7012  (Safeguarding Covered Defense Information and Cyber Incident Reporting). This DFARS clause is a federal regulation that establishes minimum standards for how defense contractors and subcontractors must protect sensitive government information and report cybersecur...

DOD Issues Final DFARS Rule for Cybersecurity Maturity Model Certification Program

WHAT:  The U.S. Department of Defense (DOD) has published the  final rule  amending the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual requirements for the Cybersecurity Maturity Model Certification Program (CMMC). The final rule at long last sets a starting date for phasing in the CMMC program. WHEN:   DOD issued the final rule on September 10, 2025, so it will take effect on November 10, 2025. That effective date will mark the first day of the three-year phase-in effort that DOD previously prescribed in the  earlier final rule  (which we summarized  here ) establishing the CMMC program requirements in Title 32 of the Code of Federal Regulations.  See  32 CFR § 170.3(e). During the first year of the phase-in plan, the following will be applicable: For new contracts, DOD intends to require at least a self-assessment as a condition of award. DOD retains the discretion to require a third-party certificatio...

What Contractors Need to Know About DoD’s New IP Guidebook

Earlier this year, the Department of Defense (DoD) published an “Intellectual Property Guidebook for DoD Acquisition.” It is the culmination of many years of work and the most insightful data rights guidance out of the Department in at least two decades . Private practitioners may not agree with every characterization of the law and data rights regulations, but the IP Guidebook is particularly commendable for its transparency into DoD’s strategic framework for IP negotiations . Although written for government acquisition professionals, it should be mandatory reading for anyone delivering proprietary technology to DoD or defense contractors. Here are a few key takeaways for contractors: 1. Expect More “Use Case” and “VATEP” Solicitations. DoD’s IP strategy is built largely around the ideal of competitive, interest-based negotiations early in the acquisition lifecycle. [1]  To facilitate such negotiations, DoD has experimented in recent years with different solicitation criteria enco...

Navigating Cybersecurity and Traditional Compliance

  Do your organizational policies and procedures adhere to cybersecurity and traditional compliance regulations? In today’s interconnected world, organizations face a dual challenge: maintaining traditional compliance with legal and regulatory frameworks while safeguarding against cyber threats. The Department of Justice (DOJ) has been increasingly vigilant in addressing both cybersecurity compliance and traditional Federal Acquisition (FAR) and Defense Federal Acquisition Regulations Supplement (DFARS) compliance failures. The Insight Global LLC settlement underscores the critical need for organizations and individuals to address both aspects effectively. The Insight Global Settlement – Cybersecurity Compliance and Traditional Compliance Implication In May the DOJ announced that Insight Global agreed to pay $2.7 million to resolve allegations under the False Claims Act (FCA) [1] . Can your company afford such a monetary assessment? Could you survive the investigation? Insight Gl...